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The NASA Engineering & Safety Center (NESC) 
GN&C Technical Discipline Team (TDT): 

Its Purpose, Practices and Experiences 

Cornelius J. Dennehy 1 

NASA Engineering and Safety Center (NESC) 


The NASA Engineering and Safety Center (NESC), initially formed in 2003, is an 
independently funded NASA Program whose dedicated team of technical experts provides 
objective engineering and safety assessments of critical, high risk projects. NESC’s strength 
is rooted in the diverse perspectives and broad knowledge base that add value to its 
products, affording customers a responsive, alternate path for assessing and preventing 
technical problems while protecting vital human and national resources. The Guidance, 
Navigation, and Control (GN&C) Technical Discipline Team (TDT) is one of fifteen such 
discipline-focused teams within the NESC organization. The TDT membership is composed 
of GN&C specialists from across NASA and its partner organizations in other government 
agencies, industry, national laboratories, and universities. This paper will briefly define the 
vision, mission, and purpose of the NESC organization. The role of the GN&C TDT will then 
be described in detail along with an overview of how this team operates and engages in its 
objective engineering and safety assessments of critical NASA projects. This paper will then 
describe key issues and findings from several of the recent GN&C-related engineering 
independent assessments and consultations performed and/or supported by the NESC 
GN&C TDT. 


I. Introduction 


HE NASA Engineering Safety Center (NESC), initially formed in 2003 in the wake of the Columbia tragedy, 

is an example of a One-NASA Program. NESC is an independently funded NASA program whose dedicated team 
of technical experts coordinates and conducts objective engineering and safety assessments of critical, high risk 
projects. The NESC is a strong technical resource for customers and stakeholders seeking responsive service for 
solving the Agency’s difficult problems. NESC’s strength is rooted in the diverse perspectives and broad knowledge 
base that add value to its products, affording customers a responsive, alternate path for assessing and preventing 
technical problems while protecting vital human and national resources. NESC provides timely technical positions 
to its customers and stakeholders based on independent test and analysis, not opinion. 

By encouraging alternative viewpoints and ensuring objective reporting methods, NESC is able to serve as a 
uniquely unbiased assessment resource. NESC’s technical evaluation and consultation products are delivered in the 
form of written reports that include solution-driven, preventative, and corrective recommendations. In October of 
2005 the NESC initiated its 100 th technical assessment. The NESC communicates its Lessons Learned from each 
assessment to NASA’s leadership through bi-annual briefings and to engineers through both the Agency Lesson 
Learned system and a series of NESC Technical Bulletins issued periodically. These communication channels 
function to inform the NASA technical community and, therefore, NESC’s customers and stakeholders. NESC’s 
range of services includes testing, analysis, and data review in fifteen engineering disciplines. The NESC also 
engages in proactive discipline advancing activities. 
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The GN&C Technical Discipline Team (TDT), the primary subject of this paper, is one of fifteen (15) such 
discipline-focused teams within the NESC organization. It is formed, maintained and led by the NASA Technical 
Fellow for GN&C. The TDT membership is composed of senior GN&C engineers from across NASA’s Field 
Centers as well as from its partner organizations in other government agencies, industry, national laboratories, and 
universities. 

This paper will briefly define the vision, mission, and purpose of the NESC organization. The role of the GN&C 
TDT will then be described in detail along with an overview of how this team operates and engages in its objective 
engineering and safety assessments of critical NASA projects. This paper will then describe key issues and findings 
from several of the recent GN&C-related independent assessments and consultations performed and/or supported by 
the NESC GN&C TDT. Among the examples of the GN&C TDT’s work that will be addressed in this paper are the 
following: the Space Shuttle Orbiter Repair Maneuver (ORM) assessment, the ISS CMG failure root cause 
assessment, the Demonstration of Autonomous Rendezvous Technologies (DART) spacecraft mishap consultation, 
the Phoenix Mars lander thruster-based controllability consultation, the NASA in-house Crew Exploration Vehicle 
(CEV) Smart Buyer assessment and the assessment of key engineering considerations for the Design, Development, 
Test & Evaluation (DDT&E) of robust and reliable GN&C systems for human-rated spacecraft. 

The role of the GN&C TDT in supporting the goals of the NESC Academy will also be highlighted in this paper. 
The NESC Academy serves to foster NESC’s commitment to engineering excellence by capturing and passing 
along, to NASA’s next generation of engineers, the collective professional experiences of the NASA Technical 
Fellows and their TDTs. 


II. NESC Vision, Mission, and Organization 

One of the tenets of an effective safety philosophy is to provide an avenue for independent assessment of the 
technical aspects and risks of critical systems. NESC offers this alternate reporting path for all NASA programs and 
projects. 

The vision that NESC has for itself is to serve as the independent and objective deep technical resource of choice 
for NASA Programs and other government agencies. As its fundamental mission the NESC strives to set the 
example for engineering and technical excellence within NASA. The primary purpose of this independent and 
objective organization is to increase safety through engineering excellence. NESC collaborates with its customers 
and stakeholders to ensure the safety and success of their programs and projects. A resource for the Agency, the 
NESC is a unique and valuable asset for the high-risk programs that NASA undertakes. 

At the core of the NESC is an established knowledge base of technical specialists pulled from the ten NASA 
Centers and from a group of partner organizations external to the Agency. This ready group of engineering experts is 
organized into 15 discipline areas called Technical Discipline Teams (TDTs). TDT members are drawn from NASA, 
industry, academia, and other government agencies. By drawing on the minds of leading engineers from across the 
country, the NESC consistently solves technical problems, deepens its knowledge base, strengthens its technical 
capabilities, and broadens its perspectives, thereby further executing its commitment to engineering excellence. 

The organizational structure of the NESC is based on maintaining a diverse and broad base of knowledge, 
keeping informed and engaged with each Center and the Agency’s major programs, responding efficiently to 
requests for assistance, and retaining a high degree of independence. There are some 50+ full-time NESC-badged 
employees, the majority of which are based at NESC Fleadquarters located at NASA’s Langley Research Center in 
Hampton, Virginia. Over 550 other engineers nationwide are employed part-time by NESC as the members of the 
15 TDTs. 

To achieve the goals stated above, the NESC is organized into six distinct offices: 

NASA Technical Fellows assemble, maintain and provide leadership for the TDTs and are stewards for their 
disciplines. The Technical Fellows serve as the senior technical experts for the Agency in support of the Office 
of the Chief Engineer and the NESC. They are an independent resource to the Agency and industry to resolve 
complex issues in their respective discipline areas. While they all lead their own NESC TDTs some Technical 
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Fellows may, in addition, also lead Agency-wide discipline Working Groups. Specifically, the Technical Fellows 
are responsible for: 1) fostering consistency of Agency-level standards and specifications, 2) promoting 
discipline stewardship through workshops, conferences and discipline advancing activities, and 3) ensuring that 
Lessons Learned are identified and incorporated into Agency processes. 

NESC Chief Engineers provide insight into their Centers’ programs and help to coordinate the facilities and 
resources of each Center when required to support NESC activities. NESC also proactively exploits its network 
of Center-based Chief Engineers for outreach to and communications with the broad NASA community. The 
Chief Engineers also coordinate with the NASA Technical Fellows in the process of identifying potential 
discipline issues and problems to be addressed proactively by the NESC. 

Principal Engineers use TDT members provided by the NASA Technical Fellows and resources arranged by 
the NESC Chief Engineers to lead independent technical reviews, assessments, tests, and analyses. 

The Systems Engineering Office dispositions requests as they come in, performs proactive trending analysis 
and problem identification, and provides other integration and system engineering support. 

The Management and Technical Support Office is the business arm of the NESC, taking care of the 
contracting, budgeting, and management of the NESC’s infrastructure. 

Under the leadership of the NESC Director’s Office, these five components come together to form the heart of 
the NESC — the NESC Review Board (NRB). The life cycle, from initial assessment plans to interim status 
briefings to final reports, of every formal activity performed by the NESC requires approval of the NRB. The NRB 
is a vital peer review process for the NESC which directly supports the development of high quality end products for 
stakeholders. All NESC reports must be reviewed and approved by the NRB prior to out-briefing the stakeholders. 
The NRB brings a diversity of thought to the decision-making process. It is an amalgam of people representing 
different Centers, programs, and engineering backgrounds. 

After an activity performed by the NESC has concluded, results are delivered to the stakeholders in the form of 
written engineering reports that include solution-driven preventative and corrective recommendations. The NESC 
strives to set the example for the Agency by providing full and appropriate documentation of every activity. Along 
with each report, lessons learned are communicated to Agency leadership and to engineers through avenues such as 
the Agency’s Lessons Learned system, the reports themselves, and the periodic NESC Technical Bulletins. 

In addition to acting on requests from outside of the NESC, another important function of the NESC is to engage 
in proactive investigations to identify and address potential concerns before they become major problems. To further 
this goal, the NESC is currently leading NASA’s efforts for independent data mining and trend analysis. The 
NESC has established a Data Mining and Trending Working Group that includes representatives from all NASA 
Centers as well as external to the Agency. 

III. NESC GN&C TDT 

The GN&C Technical Discipline Team (TDT) is a technical resource that supports the NESC and the NESC 
Review Board (NRB)-approved independent assessment teams. The primary purpose of the GN&C TDT is to 
engage in the resolution of GN&C related issues throughout the agency when directed by the NRB or by NESC 
senior leadership. A secondary purpose of the GN&C TDT is to proactively identify Agency-wide GN&C 
engineering discipline issues and problems. 

The GN&C TDT is assembled, maintained and managed by the NASA Technical Fellow for GN&C. The 
GN&C resources (subject matter experts, tools, and test facilities) required to support the assessment teams and 
other GN&C-specific NESC activities come from the TDT. The GN&C TDT is cognizant of all GN&C related 
assessments to ensure adequate and timely GN&C expertise support. This is accomplished via bi-weekly 
teleconference meetings and also with annual face-to-face meetings of the TDT. These and other communication 
mechanisms (e.g. a NESC-internal GN&C TDT secure website has been established to post team news and other 
information) are used to unite the TDT members located across NASA. 
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The GN&C TDT consists of individuals that are experts in a wide range of GN&C sub-disciplines including 
GN&C systems, GN&C analysis, GN&C components and hardware systems (sensors, actuators, interfacing 
hardware systems), GN&C software, flight dynamics, mission design, flight operations, launch vehicle flight 
mechanics analyses, and launch vehicle guidance systems. As mentioned above, this team of experts collectively 
serves as discipline "think tank” to identify potential GN&C issues and problems to address proactively by the 
NESC. 

Given the wide-breath and depth required to adequately staff the GN&C TDT as well as to support multiple 
assessments simultaneously, a staffing model has been developed to recruit and staff the GN&C discipline TDT. 
This staffing model requires skill sets representing discipline systems experts, sub-discipline specific experts, and 
technical team support personnel. The GN&C TDT consists of a “core” group of approximately 20-30 discipline 
systems experts. It also consists of an extended team of about 6 specific experts from each of the sub-discipline 
areas of expertise that encompass the broad scope of the GN&C discipline at NASA. These sub-discipline experts 
are on call-up to the NASA Technical Fellow and to the core team. Approximately 100 GN&C experts, the majority 
of them being NASA Civil Servant employees from across the Agency, currently comprise the entire NESC GN&C 
TDT. When the operational function of the GN&C discipline TDT is constrained by limited Agency in-house 
staffing resources, additional GN&C discipline expertise from outside the NASA community (e.g., industry and 
academia) are exploited to augment the TDT membership. 

The members of the “core” group are senior level individuals from across the Agency that has broad, but expert 
knowledge. These senior experts have in-depth knowledge of one, or several, GN&C expertise areas, but probably 
not all the GN&C areas of expertise. The individuals who make up the TDT’s “core” group possess exemplary 
leadership and teamwork skills since they both represent their Center’s GN&C engineering organization and also 
serve as the GN&C leadership interface to the NESC’s assessment teams. 

The sub-discipline specific experts are individuals that have in-depth experience and expertise in a specific 
GN&C area. These specific areas are defined by the TDT core group. For example, on the GN&C TDT, there will 
be sub-discipline experts in the following areas: inertial sensors, GPS navigation, spacecraft attitude determination 
and control, stellar/celestial sensors, formation flying, flight dynamics, aeronautical vehicle flight control, inter- 
planetary navigation, flight mechanics, reaction wheels, control moment gyros, controls structures interaction, 
mission design, launch vehicle guidance and control, etc. 

The technical support group is the third and last major component of the GN&C TDT. The technical support 
group is a small (about 3-5 people) contingent of individuals that support the NASA Technical Fellow for GN&C in 
the day-to-day management and operation of the GN&C TDT. These are typically GN&C engineers with perhaps 5- 
8 years of professional work experience. They contribute routine administrative and technical support (e.g., 
recording teleconference meeting minutes, providing logistics for the annual face-to-face meeting, updating the 
TDT’s internal website, etc.) while at the same time benefiting from the mentoring experience of working with the 
other TDT members. The technical support group, by virtue of their role on the TDT, has exposure to a wide range 
of GN&C problem from across NASA as well as the opportunity to witness first hand the problem solving skills of 
some the Agency’s senior GN&C engineers. This has turned out to be a win-win situation that both benefit the 
operation of the TDT and the technical support group personnel. 

In closing this section of the paper there are some general observations that should be made regarding the 
multiple benefits of serving as a TDT member. Working as a member of an NESC TDT clearly offers challenging 
opportunities. Members of the TDT interact with the best of the best in NASA, industry, academia and other 
government agencies to address a broad spectrum of discipline technical issues. TDT members also find that 
working within the NESC organizational structure permits an exposure to other NASA programs, projects, cultures, 
methods, and business practices from across the Agency. Typically this allows experiences to be gained outside 
one’s normal work area within a single NASA Center organization. The experience should broaden one’s horizons 
via the wide network of job-related interactions. There will be technically challenging and diverse assignments of a 
high impact/high feedback/high visibility nature. Serving on a TDT provides an avenue for both professional growth 
and positive recognition, not only within the discipline Community of Practice but also within the NESC’s customer 
and stakeholder community. The overall TDT experience is one that should provide motivated, tenacious and 
intellectually curious team members with a very high degree of job satisfaction. 
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IV. Experiences of the NESC GN&C TDT 


The GN&C TDT has engaged in multiple NESC assessments, consultations and reviews over the last three and 
half years since the NESC became an operational organization in November of 2003. In this section several of these 
experiences will be highlighted. These experiences were selected to illustrate the wide variety of work the GN&C 
TDT engages in. The reader will see that the GN&C TDT supported both human space flight projects and robotic 
spacecraft projects. The time durations over which the work was performed varied from durations of a few weeks to 
a month or two for the smaller scale quick-reaction peer review tasks to durations of several months to over a year 
for larger scale efforts. In cases where the task was primarily focused on a specific GN&C discipline issue, the 
work was performed exclusively by the NASA Technical Fellow for GN&C and/or small contingents of GN&C 
TDT members. In other cases that required a more multi-disciplinary approach the GN&C TDT members supported 
the task as part of a larger, integrated NESC team effort under the direction and leadership of an NESC Project 
Engineer. As with the majority of NESC endeavors, experts from virtually all NASA Centers, other government 
agencies, national laboratories, academia, and industry were involved in conducting these activities. NESC reports 
can be found on the public website at http://www.nasa.gov/offices/nesc/reports/index.html 


A. Cassini Saturn Orbit Insertion Assessment 



Figure 1. Artist’s Illustration of the 
Cassini Saturn Orbit Insertion (SOI) 


In 2004, NESC GN&C TDT members, along with other 
NESC staff with expertise in Systems Engineering, and 
Propulsion, supported the Cassini Critical Events Readiness 
Review and subsequent meetings that led to the Saturn Orbit 
Insertion (SOI) maneuver. 

While the team agreed that the project was well prepared for 
the SOI maneuver (Fig. 1), the NESC and Cassini Project Team 
boards identified several items that needed to be addressed prior 
to SOI. The consultants expressed concerns over the SOI fault 
protection logic and recommended that an independent review 
team pore through this logic to ensure robustness. They also 
recommended hiring a dedicated lead for the Operations 
Readiness Team to improve operations simulations and 
contingency planning prior to SOI. 


B. Cloud-Aerosol LIDAR and Infrared Pathfinder Satellite Observation (CALIPSO) Assessment 

The Cloud-Aerosol LIDAR and Infrared Pathfinder Satellite Observation (CALIPSO) spacecraft is a joint 
science mission among the French Centre National d’Etudes Spatiales (CNES), Langley Research Center, and 
Goddard Space Flight Center. In 2004 concerns raised about the hydrazine-fueled spacecraft propulsion bus led to 
the NESC providing a review of the bus design and an assessment of the potential for personnel exposure to 
hydrazine propellant. Members of the GN&C TDT supported this multi-disciplinary assessment activity over a 
period of several months in 2004. 

During the NESC review of the propulsion bus design, it became evident that concerns about early design 
decisions were still prevalent, even though the bus assembly was already complete. Contributing to these lingering 
concerns were the different interpretations by each organization involved of an ambiguous requirement for fault 
tolerance. Following assessment, the NESC issued a final report outlining eleven specific requirements for the 
CALIPSO Project to address in order to ensure the risk to personnel is acceptable (Reference 1). 

Three major Lessons Learned that emerged from the CALIPSO assessment. First and foremost NASA must 
establish unambiguous requirements for fault tolerance. Secondly, in a project’s design phase, a thorough risk 
assessment must be performed to ensure the final design presents the overall minimum risk to personnel, the 
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mission, and the environment. While current NASA policy does require a risk assessment, it is important that an 
assessment consider potential hazards through the project’s entire life cycle, including ground processing and 
integration. Lastly, at the beginning of a project involving outside partners, NASA must clearly define and document 
its expectations, including the standards, specifications, and processes that should be followed by all parties. 

The CAL1PSO satellite mission was subsequently launched on a Boeing Delta II rocket from Vandenberg Air 
Force Base on April 28, 2006 and has operated successfully. 

C. Genesis Project Reviews and Mishap Investigation Board Support 

On 8 August 2001 NASA launched the Genesis Sample Return mission with the scientific goal of sending a 
spacecraft beyond the influence of Earth to collect pristine material from the solar wind and to then return these 
samples to Earth for analysis of its elemental and isotopic abundances. 

Several GN&C TDT members participated in the Genesis Systems Risk Review and two Critical Events Risk 
Reviews prior to the reentry of the Genesis Sample Return Capsule (Fig. 2). They provided guidance to the Genesis 
team that proved invaluable during the entry operations. In particular, the NESC members’ recommendation was to 
develop a more stringent reentry contingency plan which put the Genesis team in a state of better preparedness for 
the unfortunate events that were to come. 

The parachute system failed to deploy 
when the Genesis Sample Return Capsule 
returned to Earth on September 8, 2004. The 
NESC GN&C TDT directly supported the 
conduct of the NASA Mishap Investigation 
Board (MIB) investigation into the cause of 
unexpectedly hard landing of the Genesis 
Sample Return Capsule. The proximate cause 
of the Genesis mishap was determined by the 
MIB to be that gravity-switch sensors were 
reversed in orientation by design. These 
gravity-switches were to sense the braking 
caused by the high-speed entry of the Genesis 
capsule into the Earth’s atmosphere, and then 
initiate the timing sequence leading to 
deployment of the vehicle's drogue parachute 
and parafoil. However, because these mission 
critical GN&C sensors were reversed in 
orientation the actual aerodynamic braking 
force direction was in the opposite direction of 
Figure 2. Genesis Sample Return Capsule the acceleration vector required for the gravity- 

switch to properly function and trigger the 
parachute deployment. 

The Genesis MIB determined that among the root causes of the Genesis mishap were an inadequate Systems 
Engineering process and an inappropriate confidence in the gravity-switch heritage design. Furthermore, the MIB 
noted deficiencies in the following four pre-launch, top-level processes resulted in the incident, each involving 
multiple root causes and contributing factors: 1) the design process inverted the gravity-switch sensor design, 2) the 
design review process did not detect the design error, 3) the verification process did not detect the design error, and 
4) the Red Team review process did not uncover the failure in the verification process. The investigation board also 
noted that the gravity-switch sensors were not identified as having a critical alignment in the Genesis Project’s 
Pointing and Alignment Document (Phasing Plan) and that there was a failure to adhere to the ‘test as you fly’ 
approach. 

The unexpected hard landing of the Genesis Sample Return Capsule required the activation of landing site 
contingency procedures that the NESC review team had stressed during the review process prior to reentry. Other 
NESC findings from these reviews helped produce more robust nominal and contingency operations procedures. 
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These procedures enabled the team to clearly describe how navigation predictions related to expected vehicle 
landing sites. 

D. Space Shuttle Reaction Jet Driver Assessment 

Four avionics boxes on each Space Shuttle Orbiter, known as Reaction Jet Drivers (RJDs), control the firing of 
six vernier and thirty-eight primary Reaction Control Subsystem (RCS) thrusters used to maneuver the vehicle (Fig. 
3). A failed-on primary thruster for as little as two seconds during mated operations with the International Space 
Station (ISS) could be catastrophic. The zero-fault tolerant RJD circuit design violates Space Shuttle Program (SSP) 
requirements for a two-fault tolerance of critical systems. In addition, new failure mechanisms, such as age 
degradation and latent manufacturing defects, were identified during the assessment. Whereas some transistors and 
wires in the Orbiter fleet are over 25 years old, no data existed on aging effects and no known test was available to 
assess age degradation of the Space Shuttle’s wiring. Potential age degradation of RJD transistors and wiring were 
unknown. A multi-disciplinary NESC team, with GN&C TDT participation, conducted extensive reviews, analyses, 
tests, and inspections to determine the RJD inadvertent firing risk. The testing of flown RJD transistors revealed no 
age concerns, and a modified box-level health check was instituted. 



Figure 3. The Shuttle Orbiter Docked to the International Space Station, with External (lower insert) and 
Internal (upper insert) Views of the Reaction Jet Drivers (RJD) Avionics Box 

Several noteworthy lessons learned came out of this NESC assessment (Reference 2). Adequate screens for 
aging and/or degradation should be performed when extending spacecraft components beyond their original design 
life. The effects of aging, operation, and environmental exposure should be factored into expected operational life of 
new vehicle designs. Reliability prediction methods should include aging effects. Programs, such as the SSP and the 
ISS Programs, that share physical interfaces, and therefore risks, should ensure that responsibility for integrated 
hazards is clearly defined and that the system requires periodic reviews of these hazard reports. 
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E. HST System Health Assessment 


Since its launch in 1990, the Hubble Space Telescope (HST) has become one of the most important instruments 
in the history of astronomy. In July of 2004 NASA Headquarters solicited support from the NESC to evaluate the 
HST (Fig. 4) long-term health prospects. This NESC consultation was one component of an Agency decision on the 
viability of extending HST life through a robotic servicing mission. At that time a new robotic servicing mission 
concept was being studied at Goddard Space Flight Center (GSFC) as an alternative to Shuttle Orbiter-based 
servicing of the HST. A multi-discipline review team of knowledgeable technical specialists, including members of 
the GN&C TDT, was convened to analyze the current and anticipated state of spacecraft subsystems and the 
parameters that describe the HST health to determine the timeliness of a robotic servicing mission. The NESC team 
also was charged with evaluating whether this type of servicing mission was likely to provide the capability needed 
to extend the useful scientific life of the HST by five years. 

By design and circumstances of limited time, the approach was concurrent discipline-based with selective 
subsystem penetration accomplished in an audit-like manner. This assessment method enabled rapid review of the 
diverse and formidable quantity of HST Program information, while allowing the identification of systemic as well 
as isolated system characteristics. No specific attempt was made at independent verification of trending information, 
mathematical models, or performance parameters. 

The NESC team examined numerous HST Program reports and briefings, and the findings from the Independent 
Program Assessment Office (IP AO) and the Aerospace Corporation’s Analysis of Alternatives (AOA) as they 
related to the degradation of the HST’s health. The NESC team also examined the state of HST subsystems that will 
not be serviced under the GSFC baseline concept including, but not limited to, the Fine Guidance Sensor (FGS) 
system. The review of the IPAO and AOA documents was supplemented with a significant quantity of HST-related 
reports, presentations, and other applicable references. In addition, extensive technical discussions were held with 
the HST Program liaison, numerous HST Operations, Flight Systems Engineering, Systems Management personnel 
and team technical peers. 

After a thorough review of the information examined 
and the technical discussions held, the NESC review team 
concluded there was a high likelihood of having a viable 
HST vehicle available for a robotic servicing mission 
(Reference 3). The NESC’s HST system health evaluation 
also identified several subsystems that required further 
examination for potential life reduction impacts and made 
several recommendations regarding the proposed robotic 
servicing mission manifest. These recommendations were 
provided to support management decisions leading to an 
optimum SM manifest that would extend the science 
service life to the greatest extent. The NESC review team 
concluded that following successful equipment and 
instrument replacement during an optimized robotic 
servicing mission, the potential for at least five additional 
years of science discovery was very good. 

The NESC review team cited the decreasing capacity of the HST’s nickel-hydrogen batteries as the principal 
factor in the overall observatory life projections prior to a servicing mission. The team also identified both the Rate 
Sensor Unit (RSU) Gyroscopes and the FGS) components as having performance issues that required additional 
emphasis by the HST Program Office. 

Three FGSs on HST provide precise fine-pointing telescope adjustments by tracking guide stars at sub-arcsecond 
levels. Only two functioning FGSs are required for nominal science operations. After reviewing the available data 
the NESC team was concerned with the performance of FGS 2R and FGS 3. At the time of the NESC review the 
effectiveness of the FGS-2R unit was decreasing as a result of a servo-loop gain issue that was attributed (in a “most 



likely” sense) to an anomalous Light Emitting Diode (LED). Also, it was observed that the FGS-3 unit had 
significant bearing performance issues that required higher motor torques to overcome, and it was being used 
sparingly to preserve remaining life. 

Life predictions for adequate FGS control varied, but appeared to provide sufficient margin to the projected 
robotic servicing mission then planned for 2008, but not enough margin to attain the planned end-of-life in 2013. 
Replacement of the FGSs was planned as part of the Shuttle Orbiter-based servicing mission, but was not in the 
baseline GSFC robotic servicing mission plans. The NESC review team recommended the augmentation of GSFC 
baseline robotic servicing mission manifest to include replacement of at least one of the FIST’s FGS units. 

The NESC team also favorably recognized the FIST Program’s foresight in maintaining skilled operations and 
sustaining engineering experts capable of observing subtle performance changes, in generating inventive operational 
work-arounds and in preparing multilevel contingency plans. The HST Program’s commitment to retain engineering 
units and test facilities enabled verification of proposed enhancements and proved invaluable in demonstrating the 
robotic servicing concept. 

F. DART Mishap Investigation Board Technical Support 

On April 15, 2005, the Demonstration of Autonomous Rendezvous Technologies (DART) spacecraft was 
launched from the Western Test Range at Vandenberg Air Force Base, California. DART was designed to 

rendezvous with, and perform a variety 
of maneuvers in close proximity to, the 
Multiple Paths, Beyond-Line-of-Sight 
Communications (MUBLCOM) satellite, 
without assistance (autonomously) from 
ground personnel (Fig. 5). The DART 
spacecraft performed as planned during 
the launch, early orbit, and rendezvous 
phases of the mission, accomplishing all 
objectives up to that time, even though 
ground operations personnel noticed 
anomalies with the navigation system. 
During proximity operations, however, 
the spacecraft began using much more 
propellant than expected. Approximately 
1 1 hours into what was supposed to be a 
24-hour mission, DART detected that its 
propellant supply was nearly depleted, 
and it began a series of departure 
maneuvers. Although it was not known at 
the time, DART had actually collided 
with MUBLCOM a few minutes before 
initiating its departure (see Reference 4). 

Because DART failed to achieve its main mission objectives, NASA/Headquarters (HQ) declared the mission a 
“Type A” Mishap, and convened a Mishap Investigation Board (MIB) to perform a detailed level of investigation. 
On April 18, 2005, the HQ Office of Safety and Mission Assurance Officer, requested quick-reaction support from 
the NESC to provide individuals with the appropriate technical expertise to serve on the DART MIB. This was a 
stressful test of the agility of the NESC TDT organizational approach. Less than 24-hours later a highly qualified 
rendezvous navigation specialist from the NESC’s GN&C TDT was identified to support the DART mishap 
investigation. This individual provided the necessary program-independent rendezvous and navigation engineering 
expertise needed by the DART MIB to complete its assignment. 

Approximately five (5) months later on September 21, 2005 the MIB’s final report was submitted. The MIB’s 
final report clearly identified and explained the causes of the DART mishap and provides a comprehensive set of 



Figure 5. Artist’s Illustration of DART Spacecraft’s Rendezvous 
with the MUBLCOM Satellite 
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findings and recommendations. Given the completeness and adequacy of the DART MIB’s final report in 
identifying and explaining the causes of the mishap, the NESC GN&C TDT did not perform any follow-on 
independent analysis and test regarding the DART mishap. NESC did however support the follow-on dissemination 
of the DART M1B final report’s findings and recommendations within the NASA GN&C Community of Practice 
and with other government agencies (e.g., the Defense Advanced Research Project Agency, DARPA) and industry. 


G. Orbiter Repair Maneuver (ORM) Peer Review 

In June of 2004 NESC conducted an independent peer review of the Space Shuttle Orbiter Repair Maneuver 
(ORM). This maneuver, which involved both the Shuttle Orbiter vehicle and the International Space Station (ISS), 
was conceptualized, designed and developed by the multi-discipline ORM Working Group (WG) at NASA’s 
Johnson Space Center (JSC). The ORM was to be a contingency operation that would allow the repair of entry- 
critical Thermal Protection System (TPS) tiles and reinforced carbon-carbon damage at locations that cannot be 
reached, by either the Shuttle Remote Manipulator System (SRMS) or the Space Station Remote Manipulator 
System (SSRMS), when the Orbiter is docked to the ISS. 



Figure 6a. Computer-generated depiction of the Shuttle Orbiter (Attached to the ISS by the SRMS) at the 

ORM Overnight Park Position 

The ORM (also referred to as the Orbiter “Flip” maneuver) was intended to undock and position the Orbiter such 
that nearly 100 percent of the TPS tile would be within reach of an extravehicular activity (EVA) astronaut 
positioned on the ISS’s robotic arm. The ORM was a contingency operation involving close proximity movements 
of SSP and ISS structure with limited back-out opportunities and reduced crew visibility. In the NESC’s view there 
was also a high potential for adverse Control-Structure Interactions (CSI) possibly resulting in large or unstable 
relative motion between the Orbiter and the EVA astronaut at the repair worksite. 


10 


The ORM was a complex contingency operation that could not be fully validated on the ground prior to first use. 
Moreover the ORM was a “first of a kind” operation whose execution would require both the flight hardware and 
the crew to operate in a non-standard manner that is significantly outside the nominal operational experience regime. 
If invoked, the ORM would be the first SRMS “Heavy Payload” operation and would also be the first use of the 
SRMS for undocking the Orbiter from the ISS. The heaviest SRMS payload to date has been the Functional Energy 
Block (known as FGB), which had a mass of approximately 48,000 pounds. NESC also noted that SRMS-assisted 
docking operations have not been done since STS-88/2A, which was the first ISS assembly mission, in 1998. 



Figure 6b. Computer-generated depiction of the Shuttle Orbiter (Attached to the ISS by the SRMS) at the 

ORM Repair Park Position 


Lastly, it was observed by the NESC peer review team that the ORM was a dynamically and operationally 
complex, untested, and hazardous human/robotic contingency operation that, end-to-end, required a total of three 
days to execute. It entailed first undocking the Orbiter from the ISS, then maneuvering of the Orbiter along a 
prescribed trajectory defined by a series of waypoints, one of which was an interim “overnight park” position (see 
Fig. 6a). Subsequently the Orbiter would be maneuvered, via the SRMS, from the overnight park position to the 
desired repair park position (Fig. 6b). The ISS would be under Thruster-based attitude hold control during the 
periods of Orbiter maneuvering between ORM waypoints. At this point in the ORM operational scenario the 
technical challenge shifted to providing a sufficiently stable repair worksite environment, with the ISS under CMG- 
based momentum management control, to permit the required TPS repair by EVA astronauts positioned on the 
SSRMS affixed to ISS (Fig. 6c). The potential for undesirable Orbiter/EVA astronaut dynamic interaction (i.e., 
relative motion) while at the repair worksite was noted by both the ORM WG and the NESC review team. Once the 
repair EVA operations were completed the SRMS would maneuver and redock Orbiter to the ISS. 
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Figure 6c. Computer-generated depiction of the Orbiter (Attached to the ISS by the SRMS) at the ORM 
Repair Park Position, with the EVA Astronaut shown at the end of the SSRMS Robotic Arm. 


The fundamental motivation for the ORM peer review was derived from NESC’s concern that ORM represented 
new and unfamiliar operations that were complex and posed risks (both known and unknown) to the crew and flight 
systems. The NESC team’s approach to performing this ORM peer review was twofold. The team first reviewed the 
ORM from a “big picture” systems-level viewpoint to determine, to the extent a short duration review such as this 
would permit, if the ORM Working Group had missed any key aspects of the problem. The team then investigated a 
few key technical areas, in an audit-line manner, to evaluate the depth and completeness of some of the ORM WG’s 
analysis, modeling and simulation work. 

The primary NESC review objective was to assess the status, depth, and completeness of the pre-Return-To- 
Flight ORM dynamic modeling, simulation, and analysis work, as well as to assess the overall operational readiness 
of the ORM. NESC found that while a significant amount of analysis had already been performed, some critical 
open work remained for the ORM Working Group and a number of these tasks would need to be completed prior to 
safely invoking the ORM as a viable on-orbit contingency. NESC provided additional recommendations that needed 
to be addressed prior to the first use of the ORM. In particular, NESC provided specific recommendations primarily 
focused on re-validating the stability robustness and rate damping performance of the ISS attitude control system 
used during the ORM. The NESC also recommended that an independent validation of the ORM integrated, multi- 
body end-to-end dynamic software simulation be completed prior to first on-orbit use of the ORM. 

An interesting aspect of the ORM peer review process was the cross-Center diversity of the NESC team 
composition. Team members were able to engage in a very detailed and productive GN&C discipline -based 
technical dialogue coming from two very distinct sets of operational viewpoints and spacecraft engineering 
experiences - that of Robotic Spacecraft control system designers and that of Human Space Flight control system 
designers. The diversity of both technical experiences and design guidelines helped NESC to draw out and focus on 
the critical issues, such as low phase stability margins in the ISS controller under certain operational conditions. 
Very spirited discussions about the degree to which the results obtained from the linear and the non-linear dynamic 
models should agree transpired. This led to the ORM WG going back and doing a detailed reexamination and 
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comparison between their models. This had a positive result of providing data that added a significant level of 
confidence that there would be adequate ISS controller stability during a contingency ORM maneuver should it need 
to be performed on-orbit. 

Thus a key Lesson Learned from the ORM peer review experience is the need for an early analytical crosschecks 
in the assessment of control system stability. In particular, the demonstration of a high-degree of correlation and 
agreement between linear and non-linear dynamic modeling results is a critically important GN&C engineering best 
practice. This approach must be coupled with a clear and straightforward technical rationale, based upon an in-depth 
physical understanding of the system’s dynamics, to adequately reconcile significant deviations between linear and 
non-linear control system stability results. 

H. CLV Design Peer Review 

The Crew Launch Vehicle (CLV) Project is a cornerstone to implementing the Agency’s plans for future 
exploration. The initial baseline CLV vehicle configuration (Fig. 7) was identified in the Exploration Systems 
Architecture Study (ESAS). However, this baseline concept required revision to meet updated system requirements 
that extended the total height by approximately 22.5 feet. The change primarily involved alterations in the upper 
stage that consisted of a combination of increases in the oxidizer and fuel tank length and the insertion of a forward 
skirt to the first stage. In January of 2006 the CLV Project Office (CLVPO) requested NESC’s technical support in 
determining if the proposed length increase has any known first order design barriers or limits that require resolution 
prior to the investment of considerable workforce and computational resources 

In response to this request a multi-disciplinary team of NESC technical specialists was formed, which included 
members of the GN&C TDT, to conduct this peer review of the CLV design. The team’s review process was divided 
into three phases, all associated with the identification of CLV design parameters that potentially could preclude or 
jeopardize the proposed lengthening of the CLV. The three phases planned were Design Guidelines (“Rules of 
Thumb”), Structural/GN&C Analysis Review, and Design Trade Assessment. The first phase was to identify the 
appropriate first order structural and GN&C design guidelines from historical and discipline reference information 
and other applicable design experience. The second phase was to make use of CLV vehicle baseline information 
and the updated structural models provided by the CLVPO, in conjunction with design guidelines identified in the 
previous task to identify any barriers or limits to the continuation of the lengthened design. The final phase was to 
conduct a historically based review of launch vehicle designs that could be used to benchmark the baseline and 
updated CLV design concept. This review located both operational successes and failures that could serve as 
benchmarks for the maturing CLV design. The scope was narrowly focused on the primary efforts to identify design 
barriers that could prevent or delay the convergence of a viable design configuration of the CLV. 

However, shortly after this NESC assessment was initiated, the decision was made to transition the development 
of the five-segment Reusable Solid Rocket Motor (RSRM) into the base CLV Project and replace the propulsion 
package of the second stage from the Space Shuttle Main Engine (SSME) to a derivative of the Apollo J2 engine 
designated as the J-2X. Since no models of the five-segment/J-2X design were readily available, these significant 
modifications of the ESAS initial baseline vehicle configuration precluded the NESC review team form performing 
detailed structural and control analyses. In the face of this development it was agreed by the CLVPO that the NESC 
review should continue but only with the completion of the Design Guidelines and Design Trade Assessment tasks. 
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Figure 7. Artist’s Illustration of the Crew Launch Vehicle (CLV) 


The assessment identified first order structural and GN&C design guidelines from historical and discipline 
reference information and other applicable design experience. These design principals were evaluated against the 
ESAS baseline configuration, primarily at the maximum aerodynamic pressure conditions, in an effort to identify 
any design barriers. This design configuration was evaluated since existing models were available and any issues 
identified would most probably be a concern for any concept with a greater total vehicle height. 

The results of the NESC assessment did not reveal any vehicle “physical barriers” at the current maturity of the 
CLV design that would prohibit the structural or control viability of the proposed five-segment/J-2X concept. 
However, a number of CLV design watch topics were identified that include several vehicle control and SRB 
structural limits (ground processing and flight loading) and require investigation to determine their criticality. 

A key lesson learned from this CLV design peer review process was that proactive requests seeking independent 
technical review during the preliminary concept phases are invaluable risk mitigation initiatives at identifying 
critical design limitations. The recognition of configuration issues at the earliest opportunity in the design 
development vastly improves the likelihood of meeting mission objectives. 


I. CEV Smart Buyer Team Support 

The NESC has been increasingly involved in supporting the Constellation Program’s Crew Exploration Vehicle 
(CEV) Project. In January 2006, a CEV Smart Buyer (CEVSB) team was formed at the request of the NASA 
Administrator. The CEVSB team’s charter was to formulate an innovative in-house CEV design to be used by the 
CEV Project, to assess the driving requirements and to provide alternatives to the requirements. Secondary goals 
were to demonstrate the Agency’s capability to conduct a multi-Center in-house design effort, gather lessons-leamed 
for this capability, and provide an opportunity for young engineers to gain design experience. 

The NESC organizational structure was used to rapidly assemble and manage a diverse team consisting of over 
200 members with representation from each of NASA’s 10 Centers, Headquarters and industry. Several members of 
the GN&C TDT supported this CEVSB activity. 
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One of the key trade studies performed by the CEVSB team was a consideration of integrated Avionics, Power, 
Communications, Guidance Navigation and Control (GN&C), Command and Data Handling (C&DH), Software, 
and Thermal CEV spacecraft subsystems. Several GN&C reference designs were considered. A simple zero-fault 
tolerant single string GN&C design which, although it would never be actually selected for a human rated spacecraft 
application, was initially explored as a stepping stone to more complex (as well as physically larger, more massive 
and higher power consuming) multi-string, fault tolerant GN&C designs. Understanding the single string design 
helped the team ascertain whether a minimalist (“bare bones”) design was a viable closed-form one that could meet 
the key mass, power and volumetric constraints. 

The CEVSB team clearly recognized that the up-front “architecting-in” of robustness and reliability must be an 
integral part of the early steps of the GN&C Systems Engineering process. The selected architecture will directly 
influence the physical complexity, functional behavior, and performance of the GN&C subsystem, along with the 
related properties of crew safety, robustness, operational complexity, affordability, adaptability, flexibility, and 
scalability. Furthermore, provisions should always be included in a spacecraft’s GN&C system architecture to 
provide a “never give up” GN&C backup capability that keeps the crew safe if the primary systems fail or become 
temporarily unavailable. 

With these high-level architectural principles in mind it is insightful to review here one relevant aspect of the 
CEVSB effort - the inclusion of a simple, robust and reliable backup flight control system in the CEVSB vehicle’s 
GN&C system architecture. To begin with the three-string avionics approach employed by the CEVSB team directly 
supported two levels of fault-tolerance for crew critical operations. An independent and dissimilar Safehold and 
Manual System (SAMS) was then also designed into the CEVSB vehicle architecture to provide a simple vehicle 
attitude and translation control capability in the event of a primary system failure The SAMS design had its own 

independent and dissimilar 4tt steradian coarse Sun sensors, gyros, and accelerometers. These sensors would be 
used for input to the safemode controller to orient the vehicle, thereby keeping the solar array pointing towards the 
Sun to ensure a power positive attitude. The CEVSB team also designed SAMS to have its own independent battery 
for power and its own crew interface from the hand controllers and display. The operational premise was, when 
using SAMS, only essential information would be displayed (rates, acceleration, fuel level, etc.) to the crew. A 
minimal set of thrusters would be controllable via pilot input through the SAMS crew interface. Thus the SAMS 
allowed for manual piloting of the CEV by providing an independent path for thruster flight control functionality in 
the event that all three primary strings had failed. The most fundamental point to observe here is that in the minds of 
the CEVSB team the SAMS provided that simple and reliable “never give up” type of backup flight control 
capability that is fundamentally needed to ensure the safe return of the crew to Earth in the event of the loss of the 
primary GN&C system. 

The intense 8-week effort of the CEVSB team produced not only a detailed design, but also demonstrated that 
NASA has the in-house capability to perform a multi-Center, integrated design. The NESC is now engaged in 
numerous assessments that have grown out of the Smart Buyer activity such as the Composite Crew Module and the 
Alternate Launch Abort System feasibility studies. The final deliverables of the CEVSB effort include this final 
report, as well as: engineering drawings and models, analysis and test reports, trade studies results, and an 
explanation of deviations from the baseline. 

J. ISS Control Moment Gyro Failure Root Cause Assessment 

The International Space Station (ISS) uses four dual-gimbal Control Moment Gyros (CMGs) mounted on the Z1 
truss for long-term non-propulsive attitude control (Fig. 8). When gimbaled at the maximum rate of 3.1 degrees per 
second an ISS CMG can develop approximately 250 N-m of control torque. The set of four CMG’s was initially 
activated on February 12, 2001. After operating nominally for 1.3 years, the ISS CMG-1 resolver-side ball bearing 
failed on June 8, 2002. An ISS Root Cause Investigation Team (RCIT) was formed by the ISS Program in an 
attempt to understand the failure at that time. During the STS-1 14 Return to Flight (RTF) mission, the Orbiter 
Discovery flew a replacement CMG to the ISS and returned the failed CMG-1 unit to Earth for failure analysis. 

With the replacement of the failed CMG-1 on August 1, 2005, the ISS had at that time its full complement of four 
working CMGs restored. 
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A discussion of specific ISS orbital operational procedures for CMG-based attitude control is relevant to this 
GN&C-focused paper. It should be pointed out that after the failure of CMG-1 in June 2002, the use of CMGs for 
performing large ISS attitude maneuvers was curtailed. Prior to the CMG-1 failure the CMGs were being used for 
ISS attitude maneuvers. The ISS GN&C team determined that performing large attitude maneuvers with CMGs and 
multiple desaturations provided marginal benefit over purely propulsive attitude maneuvers using thrusters. 

However, an operational impact of not using CMGs for such large attitude maneuver was the need to transfer from 
United States (US) control to Russian thruster control. The ISS GN&C team solved this with the development of 
US Thruster-Only (USTO) control, which enabled control of Russian thrusters while under US control. Furthermore, 
at this juncture, stringent CMG operational constraints were developed and implemented in an effort to reduce CMG 
gimbal rates. The overall goal was to maximize the life of the remaining CMG flight hardware. Also, support of 
special operations was limited due to the ISS operational guidelines for avoiding CMG momentum desaturations and 
high gimbal rates. This prohibition on performing CMG desaturations reduced the US CMG capability to support 
ISS operations where high control torques were required, such as during Orbiter docking and robotic arm 
maneuvers. Given these constraints on how the CMG were to be operated, the reaction control thrusters of the 
Russian Segment (RS) were instead used to provide high control torques when needed. 

After the failed CMG-1 unit was returned to Earth, the ISS Program Manager reactivated the RCIT and 
requested the NESC’s involvement to investigate and analyze the root cause(s) of the CMG-1 failure. The ISS RCIT 
conducted a rigorous investigation of the failure, which included a systematic teardown and disassembly of the 
failed CMG, detailed study of the failed bearing components, metrology of the non-failed bearing and the inner 
gimbal structure, thermal effects on bearing alignment, structural capability of the retainer, and condition of the 
lubrication system. 

The NESC team reviewed the telemetry data from the failure event and other relevant operational data on the 
CMGs; reviewed and concurred on the RCIT disassembly procedures; reviewed RCIT inspection and test results and 
fault tree; reviewed CMG design; inspected/requested inspection of key components; and supported and consulted 
with the ISS GN&C Super Problem Resolution Team (SPRT) as well as the ISS RCIT. 

The NESC team’s findings, observations, and recommendations were derived from two primary sources: 1) the 
data and test results generated by the thorough ISS RCIT investigation and, 2) a detailed dynamic bearing analysis 
using a specialized software tool. The NESC analysis evaluated the possibility of excessive retainer forces and the 
effect of race out-of-roundness. These supporting analyses strengthened the argument that failure of the CMG-1 
bearing preload system was the most probable cause of failure. 

The NESC team concluded that although the analysis of existing data did not permit a single root cause to be 
positively determined, the most probable cause of the CMG-1 failure was loss of bearing preload due to binding of 
the outer race or races, stick-slip of the pre-load spring, and misalignment resulting from out-of-flat gimbal covers 
and the transient thermal conditions. Other possible root causes or contributors that were investigated by the NESC 
team, but were judged to be less likely, included the following: 1) retainer resonance and failure, 2) excess lubricant, 
3) lubricant starvation or loss of elastohydrodynamic film, 4) degraded or improper lubricant, 5) metal fatigue, and 
6) excessive preload. 

The NESC team developed a total of 20 recommendations in three general categories: bearing system design (11 
recommendations), safety (1 recommendation), and ISS orbital operational procedures related to CMG-based 
attitude control (8 recommendations). NESC recommended a series of operational changes intended to improve the 
capability of the ISS engineering team to track CMG performance, identify problems, and maximize the usable 
lifetime of the ISS units already on-orbit. All of the NESC team’s findings, observations, and recommendations 
were shared with the ISS G&NC System Manager. The results of the NESC team’s findings, observations, and 
recommendations were informally discussed with the ISS RCIT throughout the investigation. 

One recommendation was for the ISS flight operations team to carefully monitor the vibration levels, spin motor 
commanded currents, and spin bearing temperatures of all CMGs and that they be prepared to take appropriate 
action to properly manage any future occurrence of a “distressed” CMG. NESC concurred with the CMG vendor’s 
recommendation to do additional periodic drag torque characterizations tests on all CMG’s to generate new data for 
the performance trend database. 
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Also, given that recovering some capability to perform CMG desaturations would provide ISS operational 
advantages, NESC recommended that that ISS Program consider CMG desaturations testing at gimbal rates well 
below the maximum 3.1 degrees per second limit. The NESC recommended a risk/benefit trade be done to study the 
technical issues of performing a carefully controlled on-orbit CMG desaturation test at a low gimbal rate (e.g., < 1 
degree per second). 

It was furthermore recommended by the NESC that a series of material and process changes be applied to the 
spare ISS CMG and the rebuild of CMG-1. The NESC team also recommended that a stress analysis of the CMG 
rotor be performed to show margin under dynamic loads resulting from a failed bearing. 

The NESC team did note that the ISS GN&C team has been quite adept in creating operational workarounds 
(e.g. the development of the USTO attitude control scheme mentioned above) to cope with the existing CMG 
performance constraints and to, therefore, avoid stressing the CMG hardware. However, these workarounds have 
come at the cost of additional resources for attitude controller analysis/re-design, increased commanding, 
operational timeline impacts, and increased consumption of RS thruster propellant. 

The NESC team also favorably observed that the ISS GN&C team had thoughtfully refined its CMG operational 
philosophy to accommodate the higher momentum buildups produced in between planned ISS assembly stages 
when the vehicle would orbit in asymmetric structural configurations. A large number of beneficial GN&C Pre- 
Positioned Load (PPL) and flight software modifications that would allow the necessary operational capabilities to 
be maintained in the face of the CMG constraints were identified and analytically investigated by the ISS GN&C 
team. The NESC team did not perform a detailed study of the specifically-proposed GN&C system change options 
but, from a cursory review, it appeared that they provided a reasonable technical balance between the extent of 
system changes, the operational complexity and the CMG constraints versus performance trade. 



Figure 8. ISS CMG-1 through CMG-4 Mounted in the ISS Z1 Truss with Shroud Removed. 
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K. Proactive GN&C Systems Commonality Study 


Since its inception the NESC has performed several proactive engineering activities as a natural complement to 
its reactive consultations, reviews and assessments. NESC senior management periodically selects specific 
discipline-unique proactive work tasks that have been identified by the Technical Fellows and their TDTs. 

Recently, in April of 2007, an NESC-sponsored GN&C-related proactive study activity was initiated at the 
Massachusetts Institute of Technology (MIT). The primary objective of this study is to assess the potential for 
GN&C system commonality across the emerging new generation of space vehicles that will be designed and built 
for the exploration of the Moon and Mars. This study effort was driven by the observation both on the part of NESC 
and MIT that GN&C systems for exploration prominently stand out, among all the future spacecraft systems, as an 
area wherein commonality might be of greatest technical and programmatic benefit. NASA's Constellation Program 
(CxP) will acquire and operate a number of new human-rated systems such as the Orion Crew Exploration Vehicle 
(CEV), the Ares-I Crew Launch Vehicle (CLV), and the Lunar Surface Access Module (LSAM), along with other 
elements for crew transportation functions (e.g., in-space propulsion stages) as well as for lunar habitation and 
mobility. There will also be lunar robotic orbiter vehicles and robotic lunar landers. Commonality between 
exploration system hardware and software elements offers the opportunity to significantly increase sustainability by 
reducing both non-recurring and recurring cost/risk. The potential benefit of common GN&C avionics and flight 
software is considerable, not only in the initial development effort, but in the verification and validation phase, and 
more importantly in the ongoing maintenance efforts and incremental upgrades that will occur over the life cycle of 
these spacecraft. With commonality of the onboard components of this system, there is more likelihood that ground 
control and communications systems could be made more common, yielding a multiplier effect. 

The technical assessment team will perform an independent, systematic and comprehensive 12-month study on 
the problem of optimizing GN&C architectures across a range of anticipated exploration space vehicles. The factors 
to be considered include crew safety, reliability, robustness, minimum complexity, commonality, testability, ease of 
operation, sustainability, extensibility and affordability. In the context of this NESC/MIT proactive study the term 
"GN&C Systems" has been broadly defined to constitute the inter-related flight system avionics, GN&C algorithms 
and flight software elements. This task will leverage analytical methods developed at MIT as part of their program 
in Technical System Architecture, as well as their specialized analysis tools/methods used to support, among other 
studies, the NASA Exploration Systems Mission Directorate (ESMD) Concept Exploration and Refinement (CE&R) 
study. 

A Study Steering Group, composed of the NASA Technical Fellows for GN&C, Avionics and Software along 
with members of the GN&C TDT core group, will provide periodic technical and management oversight of the MIT 
team’s progress against the planned set of study goals. 

The first phase of this study has been focused on performing a comparative assessment of GN&C system 
architectural characteristics for robotic spacecraft and human-rated spacecraft (see Reference 5). This comparative 
analysis of GN&C system architectures was undertaken to assess the driving factors for differentiation between 
robotic and human-rated spacecraft and it represents a fundamental step towards understanding the opportunities 
(and the limitations) of GN&C commonality across future exploration spaceflight elements. 


L. DDT&E Considerations for Human-Rated Spacecraft 

With the launch of the Constellation Program, NASA found itself with the opportunity to design the next 
generation of human-rated vehicles that will take astronaut crews to the Moon and beyond in the next two decades. 
While there are precedents for many aspects of the Design, Development, Test, and Evaluation (DDT&E) task at 
hand - the Apollo program, Space Transportation System (STS), International Space Station (ISS) and others - the 
Johnson Space Center (JSC) Astronaut Office asked the NESC for a fresh look at identifying and defining the 
fundamental first principles that should be considered during the early-on formative phase of the Constellation 
Program. 

As a result, in late 2005, a multi-disciplinary NESC team, which included several members of the GN&C TDT, 
set out to collect methodologies for how best to develop safe and reliable human-rated space systems and how to 
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identify the drivers that provide the basis for assessing safety and reliability. The team also identified techniques, 
methodologies, and best practices to assure that NASA can develop safe and reliable human rated systems. The 
results are drawn from a wide variety of resources, from experts involved with the space program since its inception 
to the best-practices espoused in contemporary engineering doctrine. This NESC assessment focused on safety and 
reliability considerations and did not attempt to duplicate, update or replace any existing references. Nor does it 
intend to replace existing standards and policy. 

All the NESC discipline-based TDTs were leveraged extensively to capture their Agency-wide experience, 
knowledge and best practices, particularly in methodologies and processes that drive spacecraft system safety and 
reliability. The NASA Technical Fellows and their TDTs provided discipline-unique perspectives on those aspects 
of the DDT&E process that are most critical or unique to their part of the spacecraft system to ensure safe and 
reliable design, based on the extensive experience of team members, accepted industry practice (including 
standards), and Lessons Learned from preceding missions. 

Each NASA Technical Fellow was asked to organize their TDT’s efforts on this assessment to address the 
following areas: 1) Interfaces within and outside their subsystem, 2) History relevant to reliability/robustness, 3) 
Architecture development and associated Trade Studies, along with evaluation criteria necessary to converge design, 
operations concept, and derived requirements, 4) DDT&E Best Practices. Each engineering discipline also included 
a list of indicators (factors by which an observer can judge whether a design is reliable and robust) as well as list of 
probing questions. 

The NESC GN&C TDT generated a set of twenty-two Best Practices for human-rated spacecraft GN&C system 
DDT&E. These twenty-two GN&C Best Practices are documented in detail in Reference 6 (see Volume II, Section 
7.5, GN&C Considerations) and are summarized in a highly condensed manner in Reference 7. These Best Practices 
address both the early and late phases of the overall DDT&E process. They cover a broad range from fundamental 
system architectural considerations to more specific aspects (e.g. mathematical modeling) of GN&C system design 
and development. 

The common objective of the GN&C TDT members on this task was to thoughtfully document useful guidance, 
in the form of these Best Practices and other considerations and criteria, related to the formulation, architecture, 
design, development and operation of GN&C systems for NASA's future human-rated spacecraft. The motivation 
was simple and sincere: provide practical information that engineers, managers and reviewers could use as an 
experience-based checklist that will increase design consistency, increase efficiency of the overall DDT&E effort, 
and most importantly, increase the confidence in the safety and reliability of the human-rated spacecraft's GN&C 
end product. Note that the GN&C Best Practice information contained in Reference 6 was intended to serve as 
tutorial-type guidance not only for newly hired engineers working on GN&C systems for perhaps the first time in 
their professional career but also for non-GN&C engineers seeking critical insights. It is anticipated that the NESC 
technical report (Reference 6) may also serve as a useful memory aid to the more experienced GN&C engineers (as 
well as their managers) who wish to revisit and consider these GN&C Best Practices in the context of a technical 
evaluation/review process. In Reference 8 the authors relate some of the NESC’s GN&C Best Practices to their 
industrial experiences, including their in-house Lessons Learned, in the design and development of GN&C 
subsystems for commercial and scientific spacecraft. 

Multiple sources were used to uncover and gather GN&C relevant information for this NESC assessment. The 
GN&C TDT members that conducted this work performed an all-source search and capture process from which 
emerged a set of common recurring GN&C Lessons Learned and associated best practices. Lessons on robustness, 
reliability, and fault tolerance issues were extracted from a historical review of the Apollo, International Space 
Station and the Space Shuttle Programs. The historical GN&C record of both manned and robotic missions was 
examined. Common GN&C mission success themes and elements were seen across human-rated and robotic 
spacecraft lines. The GN&C TDT found that the lessons learned from the large and diverse set robotic spaceflight 
missions could contribute to the Best Practices for crewed space system GN&C engineering. The team also noted 
common themes across NASA and DoD spacecraft lines as well as across industry and government organizational 
lines. 
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M. Phoenix Mars Lander Thruster-based Controllability Peer Review 

The planet Mars is a cold desert planet with no discernable liquid water on its surface. However discoveries 
made by the Mars Odyssey Orbiter in 2002 revealed large amounts of subsurface water ice in the northern arctic 
plain. The Phoenix Mars lander targets this circumpolar region. Mission plans call for Phoenix to use its robotic arm 
to dig through the protective top soil layer to find the water ice below and ultimately, to bring both soil and water ice 
into the lander’s platform for sophisticated scientific analysis. 

Named after the mythological bird, the Phoenix spacecraft was built from the remnants of its predecessors. 
Phoenix inherited its flight system from the JPL MS01 Project. It used many components of the spacecraft originally 
built for the 2001 Mars Lander, which was kept in storage after that mission was cancelled. The Phoenix Entry, 
Descent and Landing (EDL) system employs aeroshell braking, followed by parachute descent, and with a final 
“soft landing” under active thruster control. Specifically, the Phoenix Mars lander design uses 12 MR-107 pulse 
width modulated thrusters (each with a ~70 lbf thrust capability) for the powered descent and landing phase of its 
mission. The thrusters operate in a 10 Hertz closed loop mode to control lander attitude and velocity during 
approximately the last 25 seconds of the descent to the Martian surface. 

The Phoenix Project performed extended hot-fire testing (Fig. 9) to assess performance of the descent propulsion 
system and to also identify any potential structural interactions with the control system’s inertial measurement unit. 
The thrusters were exposed to from 200 percent to 800 percent of expected life during these hot fire tests. Some of 
the thrusters developed very small leaks by the end of the hot fire testing. The average thruster leak rate observed in 
the hot fire test environment was less than 1 percent of the maximum thruster flow rate. 

The NESC was requested by the JPL Chief Engineer to provide an independent consultation on the problem, the 
likely causes, and the Project’s plans for mitigation. Several members of both the NESC’s GN&C and Propulsion 
TDTs formed a small Independent Review Team (IRT) to perform this NESC consultation over a relatively short 
period of time leading up to the Phoenix Project System Critical Design Review (CDR). 



Figure 9. Phoenix Lander Hot Fire Thruster Testbed Prior to Testing (left) and During Testing (right) 

The NESC noted that the effort by the Project to identify the most probable cause of the thruster valve leak had 
been comprehensive and methodical. However, following several detailed technical discussions with the Project 
team, the NESC reviewers formulated recommendations for additional test and analysis to support the leakage root 
cause identification process. 
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The NESC reviewers also evaluated the performance of the landers’s GN&C system to safely deliver the vehicle 
to the surface of Mars in the face of various thruster leakage scenarios. The Project had implemented a 
comprehensive plan for investigating terminal descent control behavior. As part of this plan a Monte Carlo analysis 
was performed using a high fidelity 6-Degree of Freedom simulation of the Phoenix lander’s EDL dynamics and 
controls. In the multiple Monte Carlo simulations the individual thruster leak start times were randomized as were 
the thruster leak rates and the number of leaking thrusters. Detailed touchdown analyses were done to specifically 
evaluate the few violations of landing stability, loads and tilt. The leaky thruster analysis results showed little change 
in system performance. The Project’s results indicated, and the NESC concurred, that adequate margins exist in the 
thruster-based control system of the Phoenix lander during the powered descent and landing phase of its mission. 

The NESC team concluded that the Project had properly evaluated the risks, performed proper root cause 
analysis, and had a sufficiently robust GNC design to accommodate any reasonable leakage scenarios. More 
specifically, the NESC found that absent a definitive root cause, there was reasonable evidence of limited valve 
degradation behavior. 



Figure 10. Artist’s Illustration of Phoenix Soft Landing Under Active Thruster Control 


The Phoenix spacecraft was successfully launched on August 4, 2007 bound for a May 25, 2008 touchdown at a 
targeted location that is farther north than any previous Mars landing. Once it has safely landed Phoenix will 
robotically dig to find underground ice and run laboratory tests assessing whether the site could ever have been 
hospitable to microbial life. 
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N. Common Avionics Study Team (CAST) Technical Support 

In February of 2007, at the request of the Constellation Program Systems Engineer (PSE) at NASA/JSC, a 
Common Avionics Study Team (CAST) was formed and chartered to conduct a one month investigation of avionics 
commonality opportunities for both the Orion Crew Exploration Vehicle (CEV) spacecraft and the Ares I Upper 
Stage as a means to lower total system cost, weight, power, and DDT&E effort. This study engaged individuals from 
the CxP Projects (Orion and Ares I), System Engineering and Integration (SE&I), SE&I System Integration Groups 
(SIGs), the NESC and experts external to NASA. As such the CAST was a multi-disciplinary team that was 
supported with NESC resources. Both the NASA Technical Fellow for GN&C and the NASA Technical Fellow for 
Avionics/Power were members of the CAST team. 

The current Orion and Ares I Upper Stage architecture and design baselines were used as a starting point. This 
study broadly encompassed an investigation into the following electrical systems disciplines: Avionics, Software, 
Command & Data Handling (C&DH), Guidance, Navigation & Control (GN&C), Power, and Communications & 
Tracking. This investigation focused on the following key design aspects: Cost, Crew Safety, Mission Success, 
Reliability, Ground-based Serviceability, and Upgradeability. Lastly, to the extent possible the CAST attempted to 
understand future Constellation Program (CxP) avionics architectural concepts to ensure the team’s study 
recommendations did not impede future use. The CAST studied three types of commonality: 1) Commonality within 
elements of a product (top-down view), 2) Commonality within a product line (product line, top-down views), and 
3) Commonality across product lines (bottoms-up view). 

The CAST results pointed out that the greatest commonality/cost benefits for the program appear in reducing 
complexity within elements of a product and adopting a product line commonality approach for software reuse and 
hardware development. The most fundamental crew-safety related take-away message from this study was the 
following: Complexity “costs” in multiple ways and will impede the ability to understand potential safety risks. 
Complexity could negatively impact overall system reliability and may also interfere with, and limit, one’s ability to 
comprehensively validate the integrated GN&C/ Avionics/Software system. Another one of the CAST’s conclusions 
was that system complexity is a major driver for cost. This is because complexity drives the size of the project 
workforce and the project’s duration which both lead to higher system development cost. The study results also 
indicated that the crux of achieving the CxP commonality goals is through organizational and program/project 
management relationships. These relationships represent the biggest opportunity or barrier to achieve commonality. 


V. NESC Academy 

The NESC Academy (Fig. 10) was established to capture, share, and preserve the lifetimes of experiences and 
knowledge of NASA scientists and engineers and guide the next generation of the Agency’s technical staff, as they 
develop expertise in technical problem solving. The specific purpose of the NESC Academy is to broaden NASA 
engineers’ experiences and technical skills through interaction with the NASA Technical Fellows and their TDTs. 

To date the NESC, in partnership with the National Institute of Aerospace (NIA), has designed, developed and 
delivered seven different Academy courses. Each such course has been led by a NASA Technical Fellow with the 
support of their respective TDT. 

In J une of 2006, at the University of Maryland, the NESC Academy, in its second year of operation, presented its 
fourth 3-day classroom course entitled “Satellite Attitude Control Systems: Learning from the Past and Looking to 
the Future”. The NASA Technical Fellow for GN&C led the formulation of this new course and served as the 
principal lecturer. Other course instructors included members of the GN&C TDT from NASA’s Goddard Space 
Flight Center and from the Glenn Research Center, and from industry as well. The technical topics covered in this 
course included an overview of the GN&C engineering process, a summary of some key GN&C lessons learned, 
controls-structures interaction issues and solutions, spaceborne Global Positioning System (GPS) navigation 
techniques, advanced GN&C system trends and technology developments, and the implementation challenges of 
multivariable control systems. The classroom participants included approximately 30 technical personnel from 
several NASA Centers who left with new technical information, along with some new insights and perspectives on 
the GN&C discipline, all of which could be taken back to their home organizations and used throughout their 
GN&C careers. 
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Figure 11. NASA Technical Fellows Interacting With NESC Academy Students 

The NESC plans to offer a total of 1 1 Academy classroom courses by September 2008, each focusing on a 
specific discipline area such as materials, loads and dynamics, flight sciences, propulsion, and robotic operations. In 
each case the expectation is that members of each TDT will support their NASA Technical Fellow leader in the 
design and development of these classroom courses. The NESC Academy has also begun its next phase of 
instruction by offering online versions of the classroom courses via the NESC Academy website. 

VI. Conclusion 

This paper has described how the NESC was formed as an independent organization dedicated to promoting 
safety through engineering excellence. A resource for the Agency, it is a valuable problem solving asset for the 
high-risk programs that NASA has always undertaken. The NESC brings together some of NASA’s best engineers 
with experts from industry, academia, and other government agencies to address our highest risk, most complex 
issues. The NESC strives to cultivate a safety-focused culture focused on engineering and technical excellence, 
while fostering an open environment and attacking the Agency’s technical challenges with unequalled tenacity. 

The NESC is more than a problem-solving organization however. It is also an organization that works to 
improve the competence of our entire engineering workforce through the opportunity to work on challenging 
problems, through exposure to other people, tools, techniques and facilities from across the Agency, through 
discipline advancing proactive work, and through its promulgation of lessons learned via technical reports and the 
NESC Academy courses. 

The backbone of the NESC is the ready group of engineering experts organized into 15 discipline areas TDTs. In 
this paper the purpose of the NESC GN&C TDT has been highlighted and a number of their experiences described. 
The members of the GN&C TDT have contributed to solving problems in many of NASA’s human spaceflight and 
robotic spaceflight Programs and Projects. Their collective efforts have ranged from the assessment of the Orbiter 
Repair Maneuver technical feasibility to investigating the root cause of the ISS CMG failure to addressing to the 
proactive study of potential GN&C system commonality for the Constellation Program. 

The NESC, because of its demonstrated ability to focus the technical talent from across all NASA Centers to 
bear on diverse high priority problems has become a valuable resource to senior Agency decision makers. The 
NESC has established itself as a reliable, credible and respected organization within the Agency and is an 
outstanding example of Engineering Excellence in practice. This is evidenced by the increase in requests, from all 
levels of the Agency, for NESC support in resolving problems, reviewing activities, and conducting special studies. 
The NESC, employing the advantages of distributed “virtual organization” architecture has shown its ability to 
efficiently concentrate appropriate levels of technical expertise when and where needed to independently address 
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some of NASA’s most challenging and most visible problems. Some consider the NESC to be one of the Agency’s 
most positive post-Columbia success stories. 
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